Analysis of a new AV终结者 (AV Terminator) variant (the random 7-letter virus)

    Author: 清新阳光 ( http://hi.baidu.com/newcenturysun)

    Date: 2007/07/21 (this notice)

    AV终结者 has been rampant for a while. Through the joint efforts of the antivirus vendors its momentum had weakened, but recently there was suddenly another small-scale outbreak, and users report that even the dedicated removal tools are being killed. Today I got hold of this new variant and analysed it right away. Particularly worth noting is that this variant has started downloading all kinds of rogue software (previously it generally downloaded trojans).

    Analysis report

    File: pmovrao.exe

    Size: 26816 bytes

    MD5: 8A43F7A2EB37728D5D808C4E72B65242

    SHA1: A61CB036BC9A851A61E79F815A688DC04603C509

    CRC32: 2B59AD2F

    After running, it creates an exe with a random 7-letter name in each of C:\Program Files\Common Files\Microsoft Shared

    and C:\Program Files\Common Files\System

    In my test these were C:\Program Files\Common Files\System\gamkqme.exe and

    C:\Program Files\Common Files\Microsoft Shared\vdiwghf.exe

    It also creates C:\Program Files\meex.exe

    and C:\Program Files\syuhxcx.inf (random 7-letter name)

    Deletes C:\WINDOWS\system32\verclsid.exe

    Walks the partitions D: through Z: and creates in the root of each

    an autorun.inf and an exe with a random 7-letter name (pmovrao.exe in my case)

    No change to the right-click context menu
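As an added example (my own code, not the author's), here is the defender-side counterpart of the drive-walking step above: a small Python triage script that looks at drive roots D: through Z: (or any paths you pass in), parses autorun.inf for the executables it would launch, and flags any that match the random-7-letter pattern, plus any 7-letter .exe sitting in the root whether referenced or not. The autorun.inf text and the fake drive roots it builds are constructed for the demo; the post does not show the real file's contents.

```python
import os
import re
import string
import tempfile
from typing import Dict, List

# The dropped executable is seven random letters plus .exe (e.g. pmovrao.exe).
RANDOM7 = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
# autorun.inf keys that name something to execute (shell\<verb>\command is handled separately).
EXEC_KEYS = {"open", "shellexecute"}


def _first_token(value: str) -> str:
    """Return the program part of an autorun value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text: str) -> List[str]:
    """Return the executables referenced from the [autorun] section of an autorun.inf."""
    refs: List[str] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            target = _first_token(value)
            if target:
                refs.append(target)
    return refs


def scan_root(root: str) -> Dict[str, object]:
    """Inspect one drive root for autorun.inf and random-7-letter executables."""
    inf_path = os.path.join(root, "autorun.inf")
    report: Dict[str, object] = {"root": root, "autorun": os.path.isfile(inf_path),
                                 "targets": [], "suspicious": [], "random7_at_root": []}
    # A 7-letter .exe in the root is worth a look even if nothing references it.
    for name in sorted(os.listdir(root)):
        if RANDOM7.match(name) and os.path.isfile(os.path.join(root, name)):
            report["random7_at_root"].append(os.path.join(root, name))
    if not report["autorun"]:
        return report
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        refs = parse_autorun(fh.read())
    for ref in dict.fromkeys(refs):                      # de-duplicate, keep order
        path = os.path.join(root, ref.lstrip("\\/"))
        leaf = ref.replace("\\", "/").rsplit("/", 1)[-1]
        report["targets"].append(path)
        if RANDOM7.match(leaf) and os.path.isfile(path):
            report["suspicious"].append(path)
    return report


def candidate_roots(extra=()) -> List[str]:
    """Drive roots D:\\ .. Z:\\ that exist on this machine, plus any extra paths given."""
    roots = [f"{c}:\\" for c in string.ascii_uppercase[3:] if os.path.isdir(f"{c}:\\")]
    return roots + list(extra)


def build_demo() -> tuple:
    """Create two fake drive roots in a temp dir: one infected, one clean (constructed data)."""
    base = tempfile.mkdtemp(prefix="autorun_demo_")
    infected = os.path.join(base, "D")
    clean = os.path.join(base, "E")
    os.makedirs(infected)
    os.makedirs(clean)
    # Constructed autorun.inf; the post does not show the real file.
    with open(os.path.join(infected, "autorun.inf"), "w", encoding="utf-8") as fh:
        fh.write("[AutoRun]\nopen=pmovrao.exe\nshell\\open\\Command=pmovrao.exe\n"
                 "shell\\explore\\Command=\"pmovrao.exe\" -e\nshellexecute=pmovrao.exe\n")
    open(os.path.join(infected, "pmovrao.exe"), "wb").close()  # empty stand-in, not the sample
    return infected, clean


if __name__ == "__main__":
    for root in candidate_roots(build_demo()):
        print(scan_root(root))
```

Run it from a clean boot or a rescue environment; on an infected box the running process kills windows whose title contains "Process", so even a console window can be closed while you read the output.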

    Checks whether the following files exist

    and, if so, renames them to a random 7-letter name

    autorun.inf in the root of each partition

    MSInfo\wniapsvr.exe

    MSInfo\Shell.exe

    MSInfo\Shell.pci

    system32\progmon.exe

    system32\internt.exe

    Web\css.css

    Com\lsass.exe

    IME\svchost.exe

    IME\smss.exe

    Debug\debug.exe

    Common Files\svchost.cnc

    Common Files\Relive.dll

    Internet Explorer\msvcrt.dll

    Internet Explorer\PLUGINS\SysWin64.Jmp

    Internet Explorer\PLUGINS\SysWin64.Sys

    Internet Explorer\PLUGINS\SysWin64.Tao

    Sets the startup type of the following services

    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess

    HKLM\SYSTEM\CurrentControlSet\Services\helpsvc

    HKLM\SYSTEM\CurrentControlSet\Services\wscsvc

    HKLM\SYSTEM\CurrentControlSet\Services\wuauserv

    to Disabled

    Deletes the following keys

    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

    HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}

    which breaks Safe Mode

    Modifies HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

    to 0x00000000, breaking the "Show hidden files" option

    Sets the attributes of C:\Program Files\Common Files\Microsoft Shared

    and C:\Program Files\Common Files\System to Hidden

    Adds the following IFEO (Image File Execution Options) entries

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvr.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ArSwp.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AST.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGHOST.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FYFireWall.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KaScrScn.SCR

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPfwSvc.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRegEx.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KRepair.com

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KsLoader.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvfwMcl.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvReport.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVScan.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVStub.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvXP_1.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch9x.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loaddll.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPFMntor.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QHSET.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQKav.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwcfg.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwmain.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rsaupd.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shcfg32.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmartUp.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.EXE

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAttachment.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxCfg.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upiea.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBCleaner.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WoptiClean.exe

    each pointing (via its Debugger value) to the random 7-letter exe under C:\Program Files\Common Files\Microsoft Shared
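To check a machine for these registry changes without relying on tools the malware kills, a defender can `reg export` the relevant hives from a clean boot and audit the text. The Python below is an added example of mine, not from the original post: it parses the .reg export format and reports hijacked IFEO Debugger values (highest severity when they point at a 7-letter exe under Common Files\Microsoft Shared or Common Files\System), any of the four services set to Disabled, SHOWALL\CheckedValue = 0, and the disk-drive class key missing from a SafeBoot profile. The export text embedded in it is constructed to resemble the changes described above.

```python
import re
from typing import Dict, List

HIVE = "HKEY_LOCAL_MACHINE"
IFEO = HIVE + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = HIVE + r"\SYSTEM\CurrentControlSet\Services"
SHOWALL = HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT = HIVE + r"\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"   # disk-drive class key Safe Mode depends on
# The four services the variant sets to Start=4 (Disabled).
WATCHED_SERVICES = {"sharedaccess", "helpsvc", "wscsvc", "wuauserv"}
# Where the variant drops its random 7-letter executables.
DROP_RE = re.compile(r"\\Common Files\\(Microsoft Shared|System)\\[a-z]{7}\.exe$", re.I)

# Constructed sample in `reg export` format (not a real export from an infected host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe]
"Debugger"="C:\\Program Files\\Common Files\\Microsoft Shared\\vdiwghf.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse `reg export` text into {key path: {value name: value}}; dword -> int, strings unescaped."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        else:
            keys[current][name] = data          # hex:, hex(2): etc. kept raw
    return keys


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return one finding per indicator from the analysis that is present in the export."""
    findings: List[str] = []
    lowered = {k.lower(): k for k in keys}      # registry paths are case-insensitive
    for key, values in keys.items():
        low = key.lower()
        vals = {n.lower(): v for n, v in values.items()}
        leaf = key.rsplit("\\", 1)[-1]
        if low.startswith(IFEO.lower() + "\\") and "debugger" in vals:
            target = str(vals["debugger"])
            sev = "HIGH" if DROP_RE.search(target) else "REVIEW"
            findings.append(f"{sev}: IFEO Debugger set for {leaf} -> {target}")
        elif low.startswith(SERVICES.lower() + "\\") and leaf.lower() in WATCHED_SERVICES:
            if vals.get("start") == 4:
                findings.append(f"HIGH: service {leaf} set to Disabled (Start=4)")
        elif low == SHOWALL.lower() and vals.get("checkedvalue") == 0:
            findings.append("HIGH: SHOWALL\\CheckedValue is 0 (show-hidden-files option broken)")
    for profile in ("Minimal", "Network"):
        parent = f"{SAFEBOOT}\\{profile}".lower()
        if parent in lowered and f"{parent}\\{DISK_CLASS}".lower() not in lowered:
            findings.append(f"HIGH: SafeBoot\\{profile} lacks {DISK_CLASS} (Safe Mode broken)")
    return findings


if __name__ == "__main__":
    for line in audit(parse_reg(SAMPLE_EXPORT)):
        print(line)
```

An IFEO Debugger value is not malicious by itself (debuggers and application-compatibility shims use it), which is why entries whose target is outside the two drop folders are reported as REVIEW rather than HIGH; the SafeBoot check only fires when the profile key itself is in the export, so a partial export of an unrelated hive does not produce a false alarm.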

    Monitors for and terminates the following processes

    avp.com

    avp.exe

    runiep.exe

    PFW.exe

    FYFireWall.exe

    rfwmain.exe

    rfwsrv.exe

    KAVPF.exe

    KPFW32.exe

    nod32kui.exe

    nod32.exe

    Navapsvc.exe

    Navapw32.exe

    avconsol.exe

    webscanx.exe

    NPFMntor.exe

    vsstat.exe

    KPfwSvc.exe

    RavTask.exe

    Rav.exe

    RavMon.exe

    mmsk.exe

    WoptiClean.exe

    QQKav.exe

    QQDoctor.exe

    EGHOST.exe

    360Safe.exe

    iparmo.exe

    adam.exe

    IceSword.exe

    360rpt.exe

    360tray.exe

    AgentSvr.exe

    AppSvc32.exe

    autoruns.exe

    avgrssvc.exe

    AvMonitor.exe

    CCenter.exe

    ccSvcHst.exe

    FileDsty.exe

    FTCleanerShell.exe

    HijackThis.exe

    Iparmor.exe

    isPwdSvc.exe

    kabaload.exe

    KaScrScn.SCR

    KASMain.exe

    KASTask.exe

    KAV32.exe

    KAVDX.exe

    KAVPFW.exe

    KAVSetup.exe

    KAVStart.exe

    KISLnchr.exe

    KMailMon.exe

    KMFilter.exe

    KPFW32X.exe

    KPFWSvc.exe

    KRegEx.exe

    KRepair.com

    KsLoader.exe

    KVCenter.kxp

    KvDetect.exe

    KvfwMcl.exe

    KVMonXP.kxp

    KVMonXP_1.kxp

    kvol.exe

    kvolself.exe

    KvReport.kxp

    KVScan.kxp

    KVSrvXP.exe

    KVStub.kxp

    kvupload.exe

    kvwsc.exe

    KvXP.kxp

    KvXP_1.kxp

    KWatch.exe

    KWatch9x.exe

    KWatchX.exe

    loaddll.exe

    MagicSet.exe

    mcconsol.exe

    mmqczj.exe

    nod32krn.exe

    PFWLiveUpdate.exe

    QHSET.exe

    RavMonD.exe

    RavStub.exe

    RegClean.exe

    rfwcfg.exe

    RfwMain.exe

    RsAgent.exe

    Rsaupd.exe

    safelive.exe

    scan32.exe

    shcfg32.exe

    SmartUp.exe

    SREng.EXE

    symlcsvc.exe

    SysSafe.exe

    TrojanDetector.exe

    Trojanwall.exe

    TrojDie.kxp

    UIHost.exe

    UmxAgent.exe

    UmxAttachment.exe

    UmxCfg.exe

    UmxFwHlp.exe

    UmxPol.exe

    UpLive.exe

    upiea.exe

    AST.exe

    ArSwp.exe

    USBCleaner.exe

    rstrui.exe

    Filters on the following "keywords": if any of them appears in a window, that window is closed

    木马 (trojan)

    木馬 (trojan, traditional characters)

    病毒 (virus)

    杀毒 (antivirus)

    殺毒 (antivirus, traditional characters)

    查毒 (virus scan)

    防毒 (virus protection)

    专杀 (dedicated removal tool)

    專殺 (dedicated removal tool, traditional characters)

    卡巴 (Kaspersky)

    江民 (Jiangmin)

    瑞星 (Rising)

    毒霸 (Kingsoft Duba)

    恶意软件 (malicious software)

    流氓软件 (rogue software)

    上报 (report/submit)

    QQ安全 (QQ Security)

    举报 (report)

    报警 (alert)

    杀软 (AV software)

    殺軟 (AV software, traditional characters)

    防殺 (anti-kill, traditional characters)

    防杀 (anti-kill)

    专 杀 (with a space; this is why Kingsoft's dedicated removal tool cannot start: that keyword is filtered too)

    360安全 (360 Security)

    QQ医生 (QQ Doctor)

    进程 (process)

    System

    Microsoft Shared

    微点 (Micropoint)

    上報 (report/submit, traditional characters)

    舉報 (report, traditional characters)

    進程 (process, traditional characters)

    Process

    Virus

    Trojan

    Connects to the network and downloads a trojan and rogue software from

    http://www.xxxxx.com/soft/fox/GameSetup.exe

    http://www.xxxxx.com/soft/fox/Setup.exe

    into Program Files, saved as 1AGameSetup.exe

    and 2BSetup.exe

    These two are the installers of the trojan and of the rogue software respectively

    Once the trojan and rogue software have been installed, the following files are created (including but not limited to)

    C:\WINDOWS\system32\drivers\809igndb.sys

    C:\WINDOWS\system32\drivers\acpidisk.sys

    C:\WINDOWS\system32\drivers\iExplorer.exe

    C:\WINDOWS\system32\drivers\kz0q8id6.sys

    C:\WINDOWS\system32\1b1.dll

    C:\WINDOWS\system32\60e41.exe

    C:\WINDOWS\system32\ad_2201.exe

    C:\WINDOWS\system32\b601.dll

    C:\WINDOWS\system32\bnkgqpadwh.dll

    C:\WINDOWS\system32\mprmsgse.axz

    C:\WINDOWS\system32\mscpx32r.det

    C:\WINDOWS\031.bmp

    C:\WINDOWS\3fa1.exe

    C:\WINDOWS\716dairx.exe

    C:\WINDOWS\716daiwm.exe

    C:\WINDOWS\716daiwow.exe

    C:\WINDOWS\716daizx.exe

    C:\WINDOWS\716dgj.exe

    C:\WINDOWS\716dwl.exe

    C:\WINDOWS\ad_2201.exe

    C:\WINDOWS\boolan95.exe

    C:\WINDOWS\dodolook386.exe

    C:\WINDOWS\fa7c1.txt

    C:\WINDOWS\kulionrx.dll

    C:\WINDOWS\kulionrx.exe

    C:\WINDOWS\kulionwl.dll

    C:\WINDOWS\kulionwm.dll

    C:\WINDOWS\kulionzx.dll

    C:\WINDOWS\kulionzx.exe

    C:\WINDOWS\my_70087.exe

    C:\WINDOWS\video.dll

    C:\WINDOWS\winow.dll

    C:\WINDOWS\winow.exe

    C:\WINDOWS\winwl.exe

    C:\WINDOWS\winwm.exe

    C:\WINDOWS\wmsj.exe

    C:\WINDOWS\齐看网Setup2.exe

    C:\Program Files\1AGameSetup.exe

    C:\Program Files\2BSetup.exe

    C:\PROGRA~1\yxry

    C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

    These contain some rogue software and trojans

    The SReng log shows the following

    Services

    [Windows dcwd RunThem / dcwd][Running/Auto Start]

    C:\PROGRA~1\yxry\ihbi.dll>< >

    [Fax 2Client / ms_2fax][Running/Auto Start]

   

    Drivers

    [809ignd / 809igndb][Running/Boot Start]

    <\SystemRoot\System32\DRIVERS\809igndb.sys>

    [acpidisk / acpidisk][Running/Auto Start]

    <\??\C:\WINDOWS\system32\drivers\acpidisk.sys>

    [kz0q8id6 / kz0q8id6][Running/Auto Start]

    <\??\C:\WINDOWS\system32\drivers\kz0q8id6.sys>

    Browser add-ons

    [Info cache]

    {385AB8C6-FB22-4D17-8834-064E2BA0A6F0}

    技有限公司>

    [ff Class]

    {FAAAC0F6-94BE-4466-934B-7C53666A2F41} >

    Solution:

    I. Clean up the main virus program

    Since the dedicated removal tools have been disabled, it has to be removed by hand.

    1. Download IceSword

    http://www.ttian.net/website/2005/0829/391.html

    After unpacking it,

    rename Icesword.exe and then run it (IceSword.exe is on the IFEO and process-kill lists above)

    On the menu bar click File > Settings, tick "Prohibit process/thread creation", and click OK

    In the view pane click "Process" and look for processes with random 7-letter names under C:\Program Files\Common Files\Microsoft Shared

    and C:\Program Files\Common Files\System (note their names)

    If present, terminate each of them

    If Rising Firewall is installed, you also need to terminate the rfwsrv.exe process

    Then click File > Settings again, untick "Prohibit process/thread creation", and click OK

    Still in IceSword, click the "File" button at the bottom left

    Find the two random 7-letter exes under C:\Program Files\Common Files\Microsoft Shared

    and C:\Program Files\Common Files\System, right-click each one and delete it

    The following files also need to be deleted

    C:\Program Files\meex.exe

    C:\Program Files\syuhxcx.inf (random 7-letter name)

    as well as autorun.inf and the random 7-letter exe in the root of every partition (do not forget this step)

    2. Download SReng

    http://download.kztechs.com/files/sreng2.zip

    Run it, go to Startup Items > Registry, and delete all IFEO entries shown in red

    Delete the random 7-letter startup entry under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

    In this test the values were

    []

    []

    SReng: Repair > Windows Shell/IE, tick "Show hidden files", then click Repair below

    SReng: Repair > Advanced Repair > Repair Safe Mode, and click Yes in the dialog that appears
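The SReng repairs in step 2 can also be written down as a single .reg script, which is easier to review and to reuse across several infected machines. The Python below is an added example of mine, not the author's: it emits a registry script that deletes the hijacked IFEO keys you name, sets the four services back to Automatic (Start=2, which I assume was their original state), restores SHOWALL\CheckedValue to 1 and recreates the disk-drive class key under both SafeBoot profiles. The helper that extracts IFEO names accepts lines in the shape of the IFEO list in this analysis; the two names in the demo input come from that list. Apply the output with regedit only after step 1 has stopped the running malware.

```python
from typing import Iterable, List

HIVE = "HKEY_LOCAL_MACHINE"
IFEO = HIVE + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = HIVE + r"\SYSTEM\CurrentControlSet\Services"
SHOWALL = HIVE + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL"
SAFEBOOT = HIVE + r"\SYSTEM\CurrentControlSet\Control\SafeBoot"
DISK_CLASS = "{4D36E967-E325-11CE-BFC1-08002BE10318}"   # disk-drive class; Safe Mode needs it
# Services the variant disables; 2 = Automatic, assumed to be their prior state.
SERVICES_TO_RESTORE = ("SharedAccess", "helpsvc", "wscsvc", "wuauserv")
START_AUTOMATIC = 2


def build_repair_reg(ifeo_names: Iterable[str]) -> str:
    """Build a .reg script that undoes the registry changes listed in the analysis."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    # 1. Remove the hijacked IFEO keys ("[-key]" deletes the whole key).
    for name in ifeo_names:
        lines += [f"[-{IFEO}\\{name}]", ""]
    # 2. Re-enable the four services.
    for svc in SERVICES_TO_RESTORE:
        lines += [f"[{SERVICES}\\{svc}]", f'"Start"=dword:{START_AUTOMATIC:08x}', ""]
    # 3. Restore the "Show hidden files and folders" option.
    lines += [f"[{SHOWALL}]", '"CheckedValue"=dword:00000001', ""]
    # 4. Put the disk-drive class back into both Safe Mode profiles.
    for profile in ("Minimal", "Network"):
        lines += [f"[{SAFEBOOT}\\{profile}\\{DISK_CLASS}]", '@="DiskDrive"', ""]
    return "\r\n".join(lines) + "\r\n"   # regedit expects CRLF and a trailing blank line


def ifeo_names_from_report(report_lines: Iterable[str]) -> List[str]:
    """Extract subkey names from lines like 'HKLM\\...\\Image File Execution Options\\X'."""
    marker = "image file execution options\\"
    names: List[str] = []
    for line in report_lines:
        stripped = line.strip()
        idx = stripped.lower().find(marker)
        if idx >= 0 and stripped[idx + len(marker):]:
            names.append(stripped[idx + len(marker):])
    return names


if __name__ == "__main__":
    # Constructed input: two of the IFEO entries listed in the analysis above.
    demo = [r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe",
            r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IceSword.exe"]
    print(build_repair_reg(ifeo_names_from_report(demo)))
```

Save the output with a .reg extension and import it; the Run-key entry with the random 7-letter name still has to be removed by hand, since its name differs per infection and the analysis does not record it.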

    II. Clean up the downloaded trojan and rogue software

    At this point the main virus program has been cleaned up

    Next, clean up the downloaded trojan and rogue software

    Note: the trojans and rogue software the virus downloads vary, so this removal procedure is for reference only

    First, download Xdelbox 1.3 from http://www.i170.com/attach/92EB2ED9-6D11-441D-8A28-2A9B08F0452E

    Then reboot into Safe Mode (keep pressing F8 after power-on until the advanced boot menu appears, choose the first item, Safe Mode, and boot into the system)

    Open SReng

    Under "Startup Items" > "Services" > "Win32 Service Applications", click "Hide certified Microsoft items",

    select the following items, click "Delete Service", then click "Settings" and choose "No" in the dialog:

    Windows dcwd RunThem / dcwd

    Fax 2Client / ms_2fax

    Under "Startup Items" > "Services" > "Drivers", click "Hide certified Microsoft items",

    select the following items, click "Delete Service", then click "Settings" and choose "No" in the dialog:

    acpidisk / acpidisk

    kz0q8id6 / kz0q8id6

    System Repair > Browser Add-ons: find the following item, click "Delete Item", and click "Yes" in the dialog

    [ff Class]

    {FAAAC0F6-94BE-4466-934B-7C53666A2F41} >

    Double-click My Computer, then Tools > Folder Options > View; select "Show hidden files and folders" and clear the checkbox in front of "Hide protected operating system files (Recommended)". When asked to confirm the change, click "Yes", then OK

    Click the Folders button below the menu bar (the button to the right of Search)

    In the Explorer tree on the left, go into drive C:

    Delete the following files

    C:\Program Files\yxry (the whole folder)

    C:\WINDOWS\system32\1b1.dll

    C:\WINDOWS\system32\60e41.exe

    C:\WINDOWS\system32\ad_2201.exe

    C:\WINDOWS\system32\b601.dll

    C:\WINDOWS\system32\mprmsgse.axz

    C:\WINDOWS\system32\mscpx32r.det

    C:\WINDOWS\031.bmp

    C:\WINDOWS\3fa1.exe

    C:\WINDOWS\716dairx.exe

    C:\WINDOWS\716daiwm.exe

    C:\WINDOWS\716daiwow.exe

    C:\WINDOWS\716daizx.exe

    C:\WINDOWS\716dgj.exe

    C:\WINDOWS\716dwl.exe

    C:\WINDOWS\ad_2201.exe

    C:\WINDOWS\boolan95.exe

    C:\WINDOWS\dodolook386.exe

    C:\WINDOWS\fa7c1.txt

    C:\WINDOWS\kulionrx.dll

    C:\WINDOWS\kulionrx.exe

    C:\WINDOWS\kulionwl.dll

    C:\WINDOWS\kulionwm.dll

    C:\WINDOWS\kulionzx.dll

    C:\WINDOWS\kulionzx.exe

    C:\WINDOWS\my_70087.exe

    C:\WINDOWS\video.dll

    C:\WINDOWS\winow.dll

    C:\WINDOWS\winow.exe

    C:\WINDOWS\winwl.exe

    C:\WINDOWS\winwm.exe

    C:\WINDOWS\wmsj.exe

    C:\WINDOWS\齐看网Setup2.exe

    C:\Program Files\1AGameSetup.exe

    C:\Program Files\2BSetup.exe

    C:\WINDOWS\system32\drivers\acpidisk.sys

    C:\WINDOWS\system32\drivers\iExplorer.exe

    C:\WINDOWS\system32\drivers\kz0q8id6.sys

    Open Xdelbox 1.3

    Enter the following files into it

    C:\WINDOWS\system32\drivers\809igndb.sys

    C:\WINDOWS\system32\bnkgqpadwh.dll

    C:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

    Click Add, then select the 3 files and choose "reboot now and delete"

    After the machine comes back up, congratulations: all of the malware is gone!

    For the screenshots, see the original link:

    http://hi.baidu.com/newcenturysun/blog/item/7b0aa8316b9b4caa5fdf0e49.html
